VA Office of Inspector General
OFFICE OF AUDITS & EVALUATIONS

Department of Veterans Affairs
Federal Information Security Management Act Audit for Fiscal Year 2013

May 29, 2014
13-01391-72

ACRONYMS AND ABBREVIATIONS

CRISP    Continuous Readiness in Information Security Program
DHS      Department of Homeland Security
FISMA    Federal Information Security Management Act
FY       Fiscal Year
NIST     National Institute of Standards and Technology
OIG      Office of Inspector General
OMB      Office of Management and Budget
POA&M    Plans of Action and Milestones
VA       Veterans Affairs

To Report Suspected Wrongdoing in VA Programs and Operations:
Telephone: 1-800-488-8244
Email: vaoighotline@va.gov
(Hotline Information: www.va.gov/oig/hotline)

Department of Veterans Affairs    Memorandum

Date:    May 15, 2014
From:    Assistant Inspector General for Audits and Evaluations (52)
Subj:    VA's Federal Information Security Management Act Audit for Fiscal Year 2013
To:      Executive in Charge for Information and Technology (005)

1. Enclosed is the final audit report, Federal Information Security Management Act Audit for Fiscal Year 2013. The Office of Inspector General (OIG) contracted with the independent public accounting firm, CliftonLarsonAllen LLP, to assess the Department of Veterans Affairs' (VA) information security program in accordance with the Federal Information Security Management Act (FISMA).

2. To ensure the adequacy and effectiveness of information security controls, FISMA requires agency program officials, Chief Information Officers, and Inspectors General to conduct annual reviews of the agency's information security program and report the results to the Department of Homeland Security (DHS). DHS uses these data to assist in its oversight responsibilities and to prepare an annual report to Congress on agency compliance with FISMA.

3. VA continues to face significant challenges in complying with the requirements of FISMA due to the nature and maturity of its information security program. In order to better achieve FISMA outcomes, VA needs to focus on several key areas, including:

• Addressing security-related issues that contributed to the information technology material weakness reported in the fiscal year (FY) 2013 audit of VA's consolidated financial statements.
• Remediating high-risk system security issues identified within its Plans of Action and Milestones.
• Establishing effective processes for evaluating information security controls via continuous monitoring and security vulnerability assessments.

4. CliftonLarsonAllen LLP was contracted to perform the FISMA audit and is responsible for the findings and recommendations included in this report. The OIG does not express an opinion on the effectiveness of VA's internal controls during FY 2013.

5. This report provides 35 recommendations for improving VA's information security program; 30 recommendations are included in the report body and 5 recommendations are provided in Appendix A. The appendix addresses the status of prior year recommendations not included in the report body and VA's plans for corrective action. Some recommendations were modified or not closed because relevant information about security policies and procedures was not finalized or information security control deficiencies were repeated during the FY 2013 FISMA audit. CliftonLarsonAllen LLP examined whether VA's corrective actions successfully addressed the outstanding recommendations.

6. The effect of these open recommendations needs to be considered in the FY 2014 assessment of VA's security posture. We remain concerned that continuing delays in implementing effective corrective actions to address these open recommendations can potentially contribute to reporting an IT material weakness from this year's audit of VA's Consolidated Financial Statements.

7. Our independent auditors will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions during the FY 2014 FISMA audit.

LINDA A. HALLIDAY

CliftonLarsonAllen LLP
11710 Beltsville Drive, Suite 300
Calverton, MD 20705
301-931-2050 | fax 301-931-1710
www.cliftonlarsonallen.com

April 18, 2014

The Honorable Richard Griffin
Acting Inspector General
Department of Veterans Affairs
801 I Street, Northwest
Washington, DC 20001

Dear Mr. Griffin:

Attached is our report on the performance audit we conducted to evaluate the Department of Veterans Affairs' (VA) compliance with the Federal Information Security Management Act of 2002 (FISMA) for the federal fiscal year ending September 30, 2013, in accordance with guidelines issued by the United States Office of Management and Budget (OMB) and applicable National Institute of Standards and Technology (NIST) information security guidelines.

CliftonLarsonAllen LLP was contracted to perform the FISMA audit and is responsible for the findings and recommendations highlighted in the attached report. We conducted this performance audit in accordance with Government Auditing Standards developed by the Government Accountability Office. This is not an attestation-level report as defined under the American Institute of Certified Public Accountants standards for attestation engagements. Our procedures were designed to respond to the FISMA-related questions outlined in the OMB template for the Inspectors General and to evaluate VA's information security program's compliance with FISMA requirements and applicable NIST information security guidelines as defined in our audit program. Based on our audit procedures, we conclude that VA continues to face significant challenges meeting the requirements of FISMA.

We have performed the FISMA performance audit, using procedures prepared by CliftonLarsonAllen LLP and approved by the Office of the Inspector General (OIG), during the period April 2013 through November 2013. Had other procedures been performed, or other systems subjected to testing, different findings, results, and recommendations might have been provided. The projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the information security program or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

We performed limited reviews of the findings, conclusions, and opinions expressed in this report that were related to the financial statement audit performed by CliftonLarsonAllen LLP. The financial statement audit results have been combined with the FISMA performance audit findings. We do not provide an opinion regarding the results of the financial statement audit. 
In addition to the findings and recommendations, our conclusions related to VA are contained within the OMB FISMA reporting template provided to the OIG in November 2013. The completion of the OMB FISMA reporting template was based on management's assertions and the results of our FISMA test procedures, while the OIG determined the status of the prior year recommendations with the support of CliftonLarsonAllen.

This report is intended solely for those on the distribution list in Appendix F, and is not intended to be and should not be used by anyone other than these specified parties.

Sincerely,

CLIFTONLARSONALLEN LLP

GFF:sgd

Report Highlights: VA's Federal Information Security Management Act Audit for Fiscal Year 2013

Why We Did This Audit

The Federal Information Security Management Act (FISMA) requires agency Inspectors General to annually assess the effectiveness of agency information security programs and practices. Our FY 2013 audit determined the extent to which VA's information security program complied with FISMA requirements and applicable National Institute of Standards and Technology guidelines. We contracted with the independent accounting firm CliftonLarsonAllen LLP to perform this audit.

What We Found

VA has made progress developing policies and procedures but still faces challenges implementing components of its agency-wide information security risk management program to meet FISMA requirements. While some improvements were noted, FISMA audits continued to identify significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems.

Weaknesses in access and configuration management controls resulted from VA not fully implementing security control standards on all servers and network devices. VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms, and Web applications VA-wide.

Further, VA has not remediated approximately 6,000 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its overall information security posture. As a result of the FY 2013 consolidated financial statement audit, CliftonLarsonAllen LLP concluded a material weakness still exists in VA's information security program.

What We Recommended

We recommended the Executive in Charge for Information and Technology implement comprehensive measures to mitigate security vulnerabilities affecting VA's mission-critical systems.

Agency Comments

The Executive in Charge for Information and Technology generally agreed with our findings and recommendations. We will monitor implementation of the corrective action plans.

TABLE OF CONTENTS

Introduction ........................................................................ 1
Results and Recommendations ......................................................... 2
    Finding 1    Agency-Wide Risk Management Program ................................ 2
                 Recommendations ................................................... 5
    Finding 2    Identity Management and Access Controls ............................ 6
                 Recommendations ................................................... 7
    Finding 3    Configuration Management Controls .................................. 9
                 Recommendations .................................................. 10
    Finding 4    System Development/Change Management Controls ..................... 11
                 Recommendation ................................................... 11
    Finding 5    Contingency Planning ............................................. 12
                 Recommendations .................................................. 12
    Finding 6    Incident Response ................................................ 14
                 Recommendations .................................................. 15
    Finding 7    Continuous Monitoring ............................................ 16
                 Recommendations .................................................. 17
    Finding 8    Security Capital Planning ........................................ 18
                 Recommendation ................................................... 18
    Finding 9    Contractor Systems Oversight ..................................... 19
                 Recommendations .................................................. 19
    Finding 10   Security Awareness Training ...................................... 20
                 Recommendation ................................................... 20
Appendix A       Status of Prior-Year Recommendations .............................. 22
Appendix B       Background ........................................................ 26
Appendix C       Scope and Methodology ............................................. 28
Appendix D       Executive in Charge for Information and Technology Comments ....... 30
Appendix E       Office of Inspector General Contact and Staff Acknowledgements .... 41
Appendix F       Report Distribution ............................................... 42

VA's Federal Information Security Management Act Audit for FY 2013

INTRODUCTION

Objective
The objective of this audit was to determine the extent to which VA's information security program and practices comply with Federal Information Security Management Act (FISMA) requirements, Department of Homeland Security (DHS) reporting requirements, and applicable Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance. The VA Office of Inspector General (OIG) contracted with the independent accounting firm CliftonLarsonAllen LLP to perform the fiscal year (FY) 2013 FISMA audit.

Overview
Information security is a high-risk area Government-wide. Congress passed the E-Government Act of 2002 (Public Law 107-347) in an effort to strengthen Federal information security programs and practices. FISMA provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support Federal operations and assets. 
Audit teams assessed VA\xe2\x80\x99s information security\n                    program through inquiries, observations, and tests of selected controls\n                    supporting 79 major applications and general support systems at 24 VA\n                    facilities. As noted in last year\xe2\x80\x99s FISMA report, the teams identified\n                    specific deficiencies in the following areas:\n\n                    1.      Agency-Wide Risk Management Program\n                    2.      Identity Management and Access Controls\n                    3.      Configuration Management Controls\n                    4.      System Development/Change Management Controls\n                    5.      Contingency Planning\n                    6.      Incident Response\n                    7.      Continuous Monitoring\n                    8.      Security Capital Planning\n                    9.      Contractor Systems Oversight\n                    10.     Security Awareness Training\n\n                    This report provides 35 total recommendations, including three new\n                    recommendations, for improving VA\xe2\x80\x99s information security program.\n                    Thirty recommendations are included in the report body and five\n                    recommendations are provided in Appendix A. The appendix addresses the\n                    status of prior recommendations not included in the report body and VA\xe2\x80\x99s\n                    plans for corrective action. 
The FY 2012 FISMA report provided\n                    32 recommendations for improvement.\n\n\n\n\nVA Office of Inspector General                                                                   1\n\x0c                                 VA\xe2\x80\x99s Federal Information Security Management Act Audit for FY 2013\n\n\n\n                    RESULTS AND RECOMMENDATIONS\nFinding 1           Agency-Wide Risk Management Program\n\n                    FISMA requires each Federal agency to develop, document, and\n                    implement an agency-wide information security risk management\n                    program. VA has made progress developing policies and procedures as\n                    part of its program. However, VA still faces challenges implementing\n                    components of its agency-wide information security risk management\n                    program to meet FISMA requirements. Consequently, FISMA audits\n                    continue to identify significant deficiencies related to access controls,\n                    configuration management controls, change management controls, and\n                    service continuity practices designed to protect mission-critical systems\n                    from unauthorized access, alteration, or destruction.\n\nProgress Made       In 2007, VA issued VA Directive 6500, Information Security Program,\nWhile               and VA Handbook 6500, Information Security Program, defining the\nChallenges\nRemain\n                    high-level policies and procedures to support its agency-wide information\n                    security risk management program. In FY 2012, VA updated VA\n                    Handbook 6500 to be consistent with revised NIST Special Publications\n                    and to supplement existing VA directives and handbooks. 
OMB\n                    Memorandum M-14-04, Fiscal Year 2013 Reporting Instructions for the\n                    Federal Information Security Management Act and Agency Privacy\n                    Management, issued in November 2013, provides guidance for Federal\n                    agencies to follow in meeting the report requirements under FISMA.\n\n                    To address annual reporting requirements and ongoing system security\n                    weaknesses, VA launched a Continuous Readiness in Information Security\n                    Program (CRISP) in FY 2012. The program is intended to improve access\n                    controls, configuration management, contingency planning, and the security\n                    management of a large number of information technology systems. VA also\n                    established a CRISP core team to oversee this initiative and resolve the\n                    information security material weakness related to information technology\n                    security controls, as reported in VA\xe2\x80\x99s annual audit of its consolidated\n                    financial status. 
As a result of the CRISP initiative, we noted improvements\n                    related to:\n\n                    \xef\x82\xb7\t      Providing consistent training for both role-based and security\n                            awareness\xc2\xa0\n                    \xef\x82\xb7\t      Testing contingency plans \xc2\xa0\n                    \xef\x82\xb7\t      Reducing the number of individuals with outdated background\n                            investigations\xc2\xa0\n                    \xef\x82\xb7\t      Improving data center Web application security\xc2\xa0\n\n\n\nVA Office of Inspector General                                                                   2\n\x0c                                 VA\xe2\x80\x99s Federal Information Security Management Act Audit for FY 2013\n\n\n                    \xef\x82\xb7\t      Implementing predictive scanning that allows for the identification of\n                            vulnerabilities across field offices\n                    \xef\x82\xb7\t      Implementing an IT governance, risk, and compliance tool to\n                            improve processes for assessing, authorizing, and monitoring the\n                            security posture of VA systems\n\n                    However, these controls require time to mature and show evidence of their\n                    effectiveness. Accordingly, we continue to see information system security\n                    deficiencies similar in type and risk level to our findings in prior years and\n                    an overall inconsistent implementation of the security program. Moving\n                    forward, VA needs to ensure a proven process is in place across the agency.\n                    VA also needs to continue to address control deficiencies that exist in other\n                    areas across all VA locations. 
While VA has made progress updating risk\n                    management policies and procedures, our FISMA audits identified\n                    deficiencies related to VA\xe2\x80\x99s risk management strategy, Plans of Action and\n                    Milestones (POA&Ms), and system security plans\xe2\x80\x94all are discussed in the\n                    following section. Each of these processes is vital for protecting VA\xe2\x80\x99s\n                    mission-critical systems through appropriate risk mitigation strategies.\n\nRisk                VA has not fully developed and implemented components of its agency-wide\nManagement          information security risk management program to meet FISMA\nStrategy\n                    requirements.      VA has established an enterprise risk management\n                    framework; however, security risks were not communicated to the data\n                    centers, regional offices, and medical facilities we visited. Additionally, VA\n                    has not ensured that its information security controls are effectively\n                    monitored on an ongoing basis to include documenting significant changes to\n                    the system, conducting security impact analyses for system changes, and\n                    reporting system changes to designated organizational officials. Risk\n                    assessments were not properly updated as they included references to\n                    inaccurate system environment information.            
Further, some security\n                    self-assessments were not performed annually in accordance with FISMA\n                    requirements.\n\n                    NIST SP 800-37, Guide for Applying the Risk Management Framework to\n                    Federal Information Systems: A Security Life Cycle Approach, states that an\n                    agency\xe2\x80\x99s risk management framework should address \xe2\x80\x9crisk from an\n                    organizational perspective with the development of a comprehensive\n                    governance structure and organization-wide risk management strategy.\xe2\x80\x9d VA\n                    recently updated its VA Handbook 6500 to provide guidelines on how to\n                    comply with revised risk management requirements. Additionally, VA is\n                    implementing a risk governance structure, including a Risk Management\n                    Governance Board, to monitor system security risks and implement risk\n                    mitigation controls across the enterprise. Until this effort is complete,\n                    enterprise-wide risks may not be fully identified or mitigated with\n                    appropriate risk mitigation strategies.\n\n\n\n\nVA Office of Inspector General                                                                   3\n\x0c                                 VA\xe2\x80\x99s Federal Information Security Management Act Audit for FY 2013\n\n\nPlans of            OMB Memorandum M-02-01, Guidance for Preparing and Submitting\nAction and          Security Plans of Action and Milestones, defines management and reporting\nMilestones\n                    requirements for agency POA&Ms, including deficiency descriptions,\n                    remediation actions, required resources, and responsible parties. 
According\n                    to data available from VA\xe2\x80\x99s central reporting database, VA has\n                    approximately 6,000 open POA&Ms in FY 2013 compared with 4,000 open\n                    corrective actions in FY 2012. POA&Ms identify which actions must be\n                    taken to remediate system security risks and improve VA\xe2\x80\x99s information\n                    security posture.\n\n                    VA did not include prior year information security POA&Ms within its\n                    legacy central reporting database because of a planned transition to a new\n                    centralized Governance, Risk, and Compliance monitoring and reporting\n                    system. In the interim, the Office of Information Technology established a\n                    SharePoint site to track prior year findings and corrective actions. However,\n                    VA does not have an accurate representation of total POA&Ms since it has\n                    not added any new corrective actions to its central database since\n                    March 2012.\n\n                    VA has made progress in updating POA&Ms in a timely manner across VA\n                    sites and systems. Despite these improvements, audit teams continue to\n                    identify deficiencies related to reporting, managing, and closing POA&Ms.\n                    For example, audit teams identified POA&Ms that lacked sufficient\n                    documentation to justify closure, action items that missed major milestones,\n                    and items that were not updated to accurately reflect their current status. In\n                    addition, many POA&Ms were closed based upon Executive Decision\n                    Memoranda or Risk-Based Decision Memoranda. 
However, system security\n                    risks that still remain as the underlying weaknesses have not been fully\n                    remediated.\n\n                    POA&M deficiencies resulted from a lack of accountability for closing\n                    items and a lack of controls to verify supporting documentation had been\n                    added to the central database. Furthermore, unclear responsibility for\n                    addressing POA&M records at the \xe2\x80\x9clocal\xe2\x80\x9d level continues to adversely affect\n                    remediation efforts across the enterprise. By failing to fully remediate\n                    significant system security risks in the near term, VA management cannot\n                    ensure that information security controls will protect VA systems\n                    throughout their life cycles. Without sufficient documentation in the\n                    central database to justify closure of POA&Ms, VA cannot ensure that\n                    corresponding security risks have been fully mitigated.\n\nSystem              Audit teams continue to identify system security plans with inaccurate\nSecurity Plans      information regarding operational environments including system\n                    interconnections and compensating information security controls. VA\n                    Handbook 6500, Appendix D provides guidelines on maintaining and\n                    updating system security plans for major applications and general support\n                    systems. 
Because of deficiencies in this area, system owners may not fully\n\n\nVA Office of Inspector General                                                                   4\n\x0c                                 VA\xe2\x80\x99s Federal Information Security Management Act Audit for FY 2013\n\n\n                    identify relative boundaries, interdependencies, compensating information\n                    security controls, and security risks affecting mission-critical systems.\n\n                    Recommendations\n\n                    1.\t     We recommended the Executive in Charge for Information and\n                            Technology fully develop and implement an agency-wide risk\n                            management governance structure, along with mechanisms to\n                            identify, monitor, and manage risks across the enterprise. (This is\n                            a repeat recommendation from last year.)\n\n                    2.\t     We recommended the Executive in Charge for Information and\n                            Technology implement mechanisms to ensure sufficient\n                            supporting documentation is captured in the central database to\n                            justify closure of Plans of Action and Milestones. (This is a\n                            repeat recommendation from last year.)\n\n                    3.\t     We recommended the Executive in Charge for Information and\n                            Technology define and implement clear roles and responsibilities\n                            for developing, maintaining, completing, and reporting Plans of\n                            Action and Milestones. 
(This is a repeat recommendation from last year.)

4. We recommended the Executive in Charge for Information and Technology implement mechanisms to ensure Plans of Action and Milestones are updated to accurately reflect current status information. (This is a repeat recommendation from last year.)

5. We recommended the Executive in Charge for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, including accurate system interconnection and ownership information. (This is a repeat recommendation from last year.)

6. We recommended the Executive in Charge for Information and Technology implement improved processes for updating key security documents such as risk assessments, security impact analyses, and security self-assessments on at least an annual basis and ensure all required information accurately reflects the current environment. (This is a repeat recommendation from last year.)

Finding 2  Identity Management and Access Controls

Audit teams identified significant deficiencies in VA’s identity management and access controls.
VA Handbook 6500, Appendixes D and F provide comprehensive guidelines for authenticating users and protecting VA’s critical systems from unauthorized access, alteration, or destruction. Our FISMA audit identified significant information security control deficiencies in the following areas:

• Password Management
• Access Management
• Audit Trails
• Remote Access

Password Management

While VA Handbook 6500, Appendix F establishes password management standards for authenticating VA system users, our audit teams continued to identify multiple password management vulnerabilities. For example, the teams found a significant number of weak passwords on major databases, applications, and networking devices at most VA facilities. Additionally, password parameter settings for network domains, databases, key financial applications, and servers were not consistently configured to enforce VA’s password policy standards.

While some improvements have been made, we continue to identify security weaknesses that were not remediated from prior years. Many of these weaknesses can be attributed to VA’s ineffective enforcement of its agency-wide information security risk management program and ineffective communication from senior management to the individual field offices.
The use of weak passwords is a well-known security vulnerability that allows malicious users to easily gain unauthorized access to mission-critical systems.

Access Management

VA Handbook 6500, Appendix D details access management policies and procedures for VA’s information systems. However, reviews of permission settings identified numerous instances of unnecessary system privileges, excessive and unauthorized user accounts, accounts without formal access authorizations, and active accounts for terminated employees. User access requests were not consistently reviewed to eliminate conflicting roles and enforce segregation of duties principles. Additionally, we noted inconsistent monitoring of access in production environments for individuals with excessive privileges within major applications. This occurred because VA has not implemented effective reviews to eliminate instances of unauthorized system access and excessive permissions. Periodic reviews are critical to restrict legitimate users to specific systems, programs, and data and to prevent unauthorized access by both internal and external users. Unauthorized access to critical systems can leave sensitive data vulnerable to inappropriate modification or destruction.

Audit Trails

VA did not consistently review security violations and audit logs supporting mission-critical systems.
VA Handbook 6500, Appendix D provides high-level policy and procedures for collection and review of system audit logs. However, most VA facilities did not have audit policy settings configured on major systems and had not implemented automated mechanisms needed to periodically monitor system audit logs. Audit log reviews are critical for security-related activities, such as determining individual accountability, reconstructing security events, detecting intruders, and identifying system performance issues.

Remote Access

VA lacks a consistent process for managing remote access to VA networks. VA does not have policies that provide reasonable assurance of restricting privileged remote access from foreign countries that may pose a significant security risk to VA systems. In addition, multi-factor authentication for remote access has not been fully implemented across the agency. VA Handbook 6500, Appendix D establishes high-level policy and procedures for managing remote connections.

VA personnel can remotely log onto VA networks using several virtual private network applications for encrypted remote access. However, one specific application does not ensure end-user computers are updated with current system security patches and antivirus signatures before users remotely connect to VA networks. Although the remote connections are encrypted, encryption protects only the data in transit: an end-user computer that is missing patches or current antivirus signatures could be infected with malicious viruses or worms, which can easily spread through the tunnel to interconnected systems.
VA is migrating most remote users to virtual private network solutions that will better protect end-user computers through automated system updates. Moving forward, VA needs to fully implement multi-factor authentication for remote access and ensure that all remote users’ computers are adequately protected, and connect from secure locations, before accessing VA networks.

Recommendations

7. We recommended the Executive in Charge for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices. (This is a repeat recommendation from last year.)

8. We recommended the Executive in Charge for Information and Technology implement periodic access reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and excessive or unauthorized accounts. (This is a modified repeat recommendation from last year.)

9. We recommended the Executive in Charge for Information and Technology enable system audit logs and conduct centralized reviews of security violations on mission-critical systems.
(This is a repeat recommendation from last year.)

10. We recommended the Executive in Charge for Information and Technology implement mechanisms to ensure all remote access computers have updated security patches and antivirus definitions prior to connecting to VA information systems. (This is a repeat recommendation from last year.)

11. We recommended the Executive in Charge for Information and Technology implement two-factor authentication for remote access throughout the agency. (This is a repeat recommendation from last year.)

12. We recommended the Executive in Charge for Information and Technology develop and implement policies and procedures for restricting privileged remote access from foreign countries that may pose a significant security risk to VA systems. (This is a new recommendation.)

Finding 3  Configuration Management Controls

Audit teams continue to identify significant deficiencies in configuration management controls designed to ensure VA’s critical systems have appropriate security baselines and up-to-date vulnerability patches implemented.
VA Handbook 6500, Appendix D provides high-level policy guidelines regarding mandatory configuration settings for information technology hardware, software, and firmware. However, testing identified unsecure Web application servers, excessive permissions on database platforms, a significant number of outdated and vulnerable third-party applications and operating system software, and a lack of common platform security standards across the enterprise.

Unsecure Web Applications

Audits of Web-based applications identified instances of VA data facilities hosting unsecure Web-based services that could allow malicious users to gain unauthorized access to VA information systems. NIST Special Publication 800-44, Version 2, Guidelines on Securing Public Web Servers, recommends that “Organizations should implement appropriate security management practices and controls when maintaining and operating a secure Web server.” Despite the guidelines, VA has not implemented effective controls to identify and remediate security weaknesses on its Web applications.
VA has mitigated some information system security risks from the Internet through the use of network filtering appliances. However, VA’s internal network remains susceptible to attack from malicious users who could exploit vulnerabilities and gain unauthorized access to VA information systems.

Unsecure Database Applications

Database vulnerability audits continue to identify a significant number of unsecure configuration settings that could allow any database user to gain unauthorized access to critical system information. NIST Special Publication 800-64, Revision 1, Security Considerations in the Information System Development Life Cycle, states that configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system. VA has not implemented effective controls to identify and remediate security weaknesses on databases hosting mission-critical applications. Unsecure database configuration settings can allow any database user to gain unauthorized access to critical systems information.

Application and System Software Vulnerabilities

Network vulnerability audits again identified a significant number of outdated operating systems and vulnerable third-party applications that could allow unauthorized access to mission-critical systems and data. NIST Special Publication 800-40, Version 2, Creating a Patch and Vulnerability Management Program, states an agency’s patch and vulnerability management program should be integrated with configuration
management to ensure efficiency. VA has not implemented effective controls to identify and remediate security weaknesses associated with outdated third-party applications and operating system software. Deficiencies in VA’s patch and vulnerability management program could allow malicious users unauthorized access to mission-critical systems and data. By implementing a robust patch and vulnerability management program, VA could effectively remediate vulnerabilities identified in operating systems, databases, applications, and other network devices.

Baseline Security Configurations

VA is developing guidelines to define agency-wide security configuration baselines for its major information system components. FISMA, Section 3544 requires each agency to establish minimally acceptable system configuration requirements and ensure compliance. However, we noted that common platform security standards were not consistently implemented on all VA systems. For example, testing at VA facilities revealed varying levels of compliance, ranging from 78 to 98 percent, with United States Government Configuration Baseline standards for end-user systems.
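The following is an added illustration of the kind of automated baseline check that the Password Management discussion under Finding 2 (password parameter settings not configured to enforce policy) and the Baseline Security Configurations discussion above (per-facility compliance percentages) both presuppose. It is not VA's tooling and is not part of the OIG report. The baseline entries, setting names, thresholds, host names, facility names, and captured snapshots are all constructed for the example, and the check is written generally for any setting with a numeric or fixed expected value rather than for password parameters alone.

```python
"""Compare captured security settings against a configuration baseline.

Added illustration (not VA's tooling): the baseline entries, setting names
and host snapshots below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Constructed baseline. Each entry is (rule, bound). "between" carries a
# (low, high) pair so that a value of 0, which on common platforms means
# "passwords never expire" or "lockout disabled", fails the check instead of
# passing a plain upper-bound ("le") comparison.
BASELINE: Dict[str, Tuple[str, Any]] = {
    "MinimumPasswordLength": ("ge", 12),
    "PasswordComplexity": ("eq", 1),
    "PasswordHistorySize": ("ge", 24),
    "MaximumPasswordAge": ("between", (1, 90)),
    "LockoutBadCount": ("between", (1, 5)),
    "LockoutDuration": ("ge", 15),
    "AuditLogonEvents": ("eq", "Success,Failure"),
    "EnableGuestAccount": ("eq", 0),
    "AutorunDisabled": ("eq", 1),
    "TelnetServiceEnabled": ("eq", 0),
}


@dataclass
class HostResult:
    host: str
    facility: str
    checked: int
    failed: List[Tuple[str, Any, str]]  # (setting, actual value, requirement)

    @property
    def percent(self) -> float:
        """Share of baseline settings the host satisfies, as a percentage."""
        return 100.0 * (self.checked - len(self.failed)) / self.checked


def meets(rule: str, bound: Any, actual: Any) -> bool:
    """Evaluate one baseline rule against a captured value."""
    if rule == "eq":
        return actual == bound
    if rule == "ge":
        return actual >= bound
    if rule == "le":
        return actual <= bound
    if rule == "between":
        low, high = bound
        return low <= actual <= high
    raise ValueError(f"unknown rule {rule!r}")


def check_host(host: str, facility: str, settings: Dict[str, Any]) -> HostResult:
    """Check one host's captured settings against BASELINE.

    A setting absent from the capture counts as failed: a control whose
    state was never collected cannot be credited as compliant.
    """
    failed = []
    for name, (rule, bound) in BASELINE.items():
        if name not in settings or not meets(rule, bound, settings[name]):
            failed.append((name, settings.get(name), f"{rule} {bound}"))
    return HostResult(host, facility, len(BASELINE), failed)


def facility_compliance(results: List[HostResult]) -> Dict[str, Tuple[float, float]]:
    """Lowest and highest per-host compliance percentage at each facility."""
    by_facility: Dict[str, List[float]] = {}
    for r in results:
        by_facility.setdefault(r.facility, []).append(r.percent)
    return {f: (min(p), max(p)) for f, p in by_facility.items()}


# Constructed snapshots in the shape of an exported local security policy.
SNAPSHOTS = [
    ("fin-app-01", "Facility A", {
        "MinimumPasswordLength": 14, "PasswordComplexity": 1,
        "PasswordHistorySize": 24, "MaximumPasswordAge": 60,
        "LockoutBadCount": 3, "LockoutDuration": 30,
        "AuditLogonEvents": "Success,Failure", "EnableGuestAccount": 0,
        "AutorunDisabled": 1, "TelnetServiceEnabled": 0,
    }),
    # Looks hardened at a glance, but 0 here means "never expire" and
    # "never lock out", which a naive upper-bound check would credit.
    ("db-02", "Facility A", {
        "MinimumPasswordLength": 12, "PasswordComplexity": 1,
        "PasswordHistorySize": 24, "MaximumPasswordAge": 0,
        "LockoutBadCount": 0, "LockoutDuration": 30,
        "AuditLogonEvents": "Success,Failure", "EnableGuestAccount": 0,
        "AutorunDisabled": 1, "TelnetServiceEnabled": 0,
    }),
    # Short passwords, telnet left on, and one setting not captured at all.
    ("net-rtr-07", "Facility B", {
        "MinimumPasswordLength": 8, "PasswordComplexity": 1,
        "PasswordHistorySize": 24, "MaximumPasswordAge": 90,
        "LockoutBadCount": 5, "LockoutDuration": 15,
        "AuditLogonEvents": "Success,Failure", "EnableGuestAccount": 0,
        "TelnetServiceEnabled": 1,
    }),
]


def run_audit(snapshots=SNAPSHOTS) -> List[HostResult]:
    """Check every snapshot and return one result per host."""
    return [check_host(h, f, s) for h, f, s in snapshots]


if __name__ == "__main__":
    results = run_audit()
    for r in results:
        print(f"{r.host} ({r.facility}): {r.percent:.0f}% compliant")
        for name, actual, required in r.failed:
            print(f"  {name}: found {actual!r}, required {required}")
    print(facility_compliance(results))
```

Run stand-alone, the script lists each host's failed settings and the per-facility compliance range. The design point is the "between" rule: password age and lockout thresholds have a special value (0) that disables the control, so a baseline expressed only as an upper bound would report the db-02 snapshot as fully compliant when it is not, and a setting that was never captured is reported as a failure rather than silently skipped.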
Testing also identified numerous network devices not configured to a common security configuration standard, resulting in default network services, excessive permissions, weak administrator passwords, and outdated versions of the network operating system. By not implementing consistent agency-wide configuration management standards for major applications and general support systems, VA is placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction.

Recommendations

13. We recommended the Executive in Charge for Information and Technology implement effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and Web application servers. (This is a repeat recommendation from last year.)

14. We recommended the Executive in Charge for Information and Technology implement a patch and vulnerability management program to address security deficiencies identified during our audits of VA’s Web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from last year.)

15. We recommended the Executive in Charge for Information and Technology implement standard security configuration baselines for all VA operating systems, databases, applications, and network devices.
(This is a repeat recommendation from last year.)

Finding 4  System Development/Change Management Controls

VA has not fully implemented procedures to enforce standardized system development and change management controls for mission-critical systems. Our audit teams continued to identify software changes to mission-critical systems and infrastructure network devices that did not follow standardized software change control procedures.

FISMA, Section 3544 requires establishing policies and procedures to ensure information security is addressed throughout the life cycle of each agency information system. VA Handbook 6500.5, Incorporating Security and Privacy into the System Development Life Cycle, also discusses integrating information security controls and privacy throughout the life cycle of each system.

Further, numerous test plans, test results, and approvals were either incomplete or missing.
By not enforcing a standardized change control methodology, system development projects may be inconsistently developed, tested, and migrated into production, placing VA systems at risk of unauthorized or unintended software modifications.

Recommendation

16. We recommended the Executive in Charge for Information and Technology implement procedures to enforce a system development and change control framework that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from last year.)

Finding 5  Contingency Planning

Overall, we noted an improvement in contingency plan testing since our FY 2012 audit. However, VA contingency plans still were not fully documented and test results were not consistently communicated to senior management. VA Handbook 6500, Appendix D establishes high-level policy and procedures for contingency planning and plan testing.
Our audit identified the following deficiencies related to contingency planning:

• Many Information System Contingency Plans had not been updated to reflect lessons learned from contingency and disaster recovery tests, provide detailed recovery procedures for all system priority components, or reflect current operating conditions.
• Alternate processing site agreements between the regional offices and Information Technology Centers were not in place to ensure all parties are aware of their respective responsibilities in the event of a disaster.
• Backup tapes for mission-critical systems were not encrypted prior to being sent offsite for storage.
• A significant data loss occurred at the Austin Information Technology Center due to inadequate backup and change management procedures.

Incomplete documentation of test plans, test results, and alternate processing site agreements can prevent timely restoration of services in the event of system disruption or disaster. Inadequate backup testing can lead to critical system failures that cannot be recovered from. Inadequate communication of test results may also prevent lessons learned from being recognized and adopted.
Moreover, by not encrypting backup tapes, VA is at risk of potential data theft or unauthorized disclosure of sensitive data if a tape is lost or stolen in transit or at the storage site. Encrypting the media is only effective if the encryption keys are held separately from the tapes and restoration from encrypted backups is tested.

In October 2011, VA implemented the Office of Information and Technology Annual Security Calendar, requiring all Information System Contingency and Disaster Recovery Plans to be updated on an annual basis. However, updated plans continue to have weaknesses similar to those noted in FY 2012.

Recommendations

17. We recommended the Executive in Charge for Information and Technology implement processes to ensure information system contingency plans are updated with the required information and lessons learned are communicated to senior management. (This is a repeat recommendation from last year.)

18. We recommended the Executive in Charge for Information and Technology develop and implement a process for ensuring the encryption of backup data prior to transferring the data offsite. (This is a repeat recommendation from last year.)

19. We recommended the Executive in Charge for Information and Technology ensure that agreements for alternate processing sites have been established that define the roles and responsibilities for alternate locations in the event of a disaster.
(This is a repeat recommendation from last year.)

20. We recommended the Executive in Charge for Information and Technology review change management procedures to ensure that any changes to system backup procedures are appropriately tested, validated, documented, and approved. (This is a new recommendation.)

Finding 6  Incident Response

VA is unable to monitor all external interconnections and internal network segments for malicious traffic or unauthorized system access attempts. FISMA, Section 3544 requires each agency to develop and implement an agency-wide information security program containing specific procedures for detecting, reporting, and responding to computer security incidents. Audit teams identified deficiencies with VA’s security incident management and external network monitoring processes.

VA performs significant monitoring of its known Internet gateways to identify and respond to computer security events and potential network intrusions. This monitoring includes some event correlation, which ties multiple entries together to identify larger trends, intrusions, or intrusion attempts. However, VA has not fully implemented security information and event management technologies needed for effective event correlation analysis.
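The following is an added illustration of automated audit-log review with cross-host event correlation, the capability that the Audit Trails discussion under Finding 2 (no automated mechanisms to periodically monitor audit logs) and the paragraph above (event correlation that ties multiple entries together) both describe. It is not VA's monitoring and is not part of the OIG report. The record layout, the thresholds and time window, and the host names, user names, addresses, and log records are all constructed for the example.

```python
"""Automated review of logon audit records with cross-host correlation.

Added illustration (not VA's tooling). The log format, thresholds and the
records below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed record layout: one logon event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=logon result=(?P<result>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a spray across hosts, a brute force that succeeds,
# and an ordinary mistyped password that should not alert.
RAW_LOG = """\
2013-06-12T01:30:00 host=db-01 event=logon result=failure user=oracle src=203.0.113.9
2013-06-12T01:30:30 host=db-02 event=logon result=failure user=sa src=203.0.113.9
2013-06-12T01:31:00 host=web-03 event=logon result=failure user=tomcat src=203.0.113.9
2013-06-12T01:31:30 host=net-rtr-04 event=logon result=failure user=admin src=203.0.113.9
2013-06-12T02:10:05 host=fin-app-01 event=logon result=failure user=admin src=198.51.100.7
2013-06-12T02:10:40 host=fin-app-01 event=logon result=failure user=admin src=198.51.100.7
2013-06-12T02:11:20 host=fin-app-01 event=logon result=failure user=admin src=198.51.100.7
2013-06-12T02:12:00 host=fin-app-01 event=logon result=failure user=admin src=198.51.100.7
2013-06-12T02:13:30 host=fin-app-01 event=logon result=failure user=admin src=198.51.100.7
2013-06-12T02:14:10 host=fin-app-01 event=logon result=success user=admin src=198.51.100.7
2013-06-12T08:00:00 host=fin-app-01 event=logon result=failure user=jsmith src=10.1.1.5
2013-06-12T08:00:20 host=fin-app-01 event=logon result=success user=jsmith src=10.1.1.5
"""


def parse(raw: str) -> List[Dict]:
    """Parse the records; lines that do not match are skipped, not guessed at."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def correlate(events: List[Dict], window=timedelta(minutes=10), threshold=5) -> List[Dict]:
    """Raise alerts from failures and successes seen within a sliding window.

    brute_force: >= threshold failures for one user from one source.
    password_spray: failures from one source against >= 3 different hosts,
        which no single host's log reveals on its own.
    success_after_failures: a success for a user/source pair that had
        >= 3 recent failures, the case most worth an analyst's attention.
    """
    alerts: List[Dict] = []
    fails_by_pair: Dict[tuple, List[datetime]] = defaultdict(list)
    fails_by_src: Dict[str, List[tuple]] = defaultdict(list)
    fired = set()  # suppress repeat alerts for the same key
    for e in sorted(events, key=lambda x: x["ts"]):
        pair = (e["src"], e["user"])
        if e["result"] == "failure":
            fails_by_pair[pair].append(e["ts"])
            fails_by_src[e["src"]].append((e["ts"], e["host"]))
            recent = [t for t in fails_by_pair[pair] if e["ts"] - t <= window]
            if len(recent) >= threshold and ("brute_force", pair) not in fired:
                fired.add(("brute_force", pair))
                alerts.append({"rule": "brute_force", "src": e["src"],
                               "user": e["user"], "count": len(recent), "at": e["ts"]})
            hosts = sorted({h for t, h in fails_by_src[e["src"]] if e["ts"] - t <= window})
            if len(hosts) >= 3 and ("password_spray", e["src"]) not in fired:
                fired.add(("password_spray", e["src"]))
                alerts.append({"rule": "password_spray", "src": e["src"],
                               "hosts": hosts, "at": e["ts"]})
        elif e["result"] == "success":
            recent = [t for t in fails_by_pair[pair] if e["ts"] - t <= window]
            if len(recent) >= 3:
                alerts.append({"rule": "success_after_failures", "src": e["src"],
                               "user": e["user"], "host": e["host"],
                               "failures": len(recent), "at": e["ts"]})
    return alerts


def review(raw: str = RAW_LOG) -> List[Dict]:
    """Parse and correlate one batch of records."""
    return correlate(parse(raw))


if __name__ == "__main__":
    for a in review():
        print(a)
```

The spray rule is the one that depends on centralized collection: each of the four hosts sees a single failed logon, which no per-host review would flag, and only the correlation across hosts by source address exposes the pattern. The success-after-failures rule orders the analyst's queue, since a brute force that ended in a successful logon is a probable compromise rather than an attempt.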
VA does not have automated 24-hour security alert capability for all platforms and databases hosted at its Information Technology Centers. Furthermore, VA did not provide the OIG’s Office of Audits and Evaluations with timely notifications of network intrusions and system compromises.

To improve incident management, VA’s Network Security Operations Center continues to implement its Trusted Internet Connection initiative to identify all system interconnections and consolidate them into four VA gateways. Although progress has been made in cataloging the many interconnections for monitoring purposes, unknown and unmonitored connections still exist. In addition, our audit teams continued to identify several system interconnections without valid Interconnection Security Agreements and Memoranda of Understanding to govern them. Ineffective monitoring of external network interconnections could prevent VA from detecting and responding to intrusion attempts in a timely manner.

Our audit continued to identify numerous high-risk computer security incidents, including malware infections that were not remediated in a timely manner. Specifically, we noted a high number of malware security incident tickets that took more than 30 days to remediate and close. While VA’s performance has improved from the prior year, the process for tracking higher risk tickets remained inefficient, and some computer security incidents were not remediated.
By contrast, NIST Special Publication 800-61, Computer Security Incident Handling Guide, provides examples of computer security incident response times ranging from 15 minutes to 4 hours, based on the criticality of the incidents. The guide also recommends that organizations develop their own incident response times based on organizational needs and the criticality of resources affected by the security incidents.

Recommendations

21. We recommended the Executive in Charge for Information and Technology fully implement an automated 24-hour security event and incident correlation solution to monitor security for all system interconnections, database security events, and mission-critical platforms supporting VA programs and operations. (This is a repeat recommendation from last year.)

22. We recommended the Executive in Charge for Information and Technology identify all external network interconnections and ensure appropriate Interconnection Security Agreements and Memoranda of Understanding are in place to govern them.
(This is a repeat recommendation from last year.)

23. We recommended the Executive in Charge for Information and Technology implement more effective agency-wide incident response procedures to ensure timely resolution of computer security incidents in accordance with VA set standards. (This is a repeat recommendation from last year.)

24. We recommended the Executive in Charge for Information and Technology provide the Office of Inspector General with timely and formal notifications of network intrusions and system compromises in accordance with the Federal Information Security Management Act. (This is a new recommendation.)

Finding 7  Continuous Monitoring

VA lacks an effective continuous monitoring process to identify unsecure system configurations and perform automated monitoring for unauthorized software and hardware devices. In addition, VA has not defined an inventory of authorized hardware and software, nor implemented processes for removing unauthorized software from its systems.
NIST Special\n                    Publication 800-53, Revision 3, Recommended Security Controls\n                    for Federal Information Systems and Organizations, outlines the\n                    importance of deploying automated mechanisms to detect\n                    unauthorized components and configurations within agency networks.\n\n                    Because of inadequate VA monitoring procedures, our technical\n                    testing continued to identify significant deficiencies with\n                    configuration     management     controls    designed      to     protect\n                    mission-critical systems from unauthorized access, alteration, or\n                    destruction. For instance, our testing identified unsecure Web\n                    application servers, excessive permissions on database platforms, a\n                    significant number of outdated third-party applications and operating\n                    system software, and inconsistent platform security standards across\n                    the enterprise. Without monitoring software and applications installed on\n                    VA devices, employees may introduce potentially dangerous software and\n                    malware into the VA computing environment.\n\n                    To better meet continuous monitoring requirements, VA\xe2\x80\x99s Information\n                    Security Continuous Monitoring program\xe2\x80\x99s Concept of Operations\n                    established a centralized, enterprise information technology\n                    framework that supports operational security demands for protection\n                    of critical information. This framework is based on guidance from\n                    Continuous Monitoring Workgroup activities sponsored by DHS and\n                    the Department of State. 
The Office of Cyber Security continues to\n                    develop and implement Continuous Monitoring processes to better\n                    protect VA systems. The goal of the Information Security Continuous\n                    Monitoring program is to examine the enterprise to develop a real-time\n                    analysis of actionable risks that may adversely impact mission-critical\n                    systems.\n\n                    VA has improved systems and data security control protections by\n                    implementing technological solutions, such as secure remote access,\n                    application filtering, and portable storage device encryption. Further, VA\n                    is deploying various software and configuration monitoring tools to VA\n                    facilities as part of its \xe2\x80\x9cVisibility to Server\xe2\x80\x9d and \xe2\x80\x9cVisibility to Desktop\xe2\x80\x9d\n                    initiatives. However, VA has not fully implemented the tools necessary to\n                    inventory the software components supporting critical programs and\n                    operations. Incomplete inventories of critical software components can\n                    hinder patch management processes and restoration of critical services in the\n\n\n\nVA Office of Inspector General                                                                  16\n\x0c                                 VA\xe2\x80\x99s Federal Information Security Management Act Audit for FY 2013\n\n\n                    event of a system disruption or disaster. 
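The kind of automated check this finding describes, comparing what is actually installed against a listing of approved software and an inventory of authorized hardware, is shown below as an added example. It is illustrative code written for this page, not VA's tooling or any product named in the report; the approved-software listing, the required package, the authorized asset tags and the observed host inventories are all constructed sample data. The check reports four things a continuous monitoring process needs to surface: devices not in the hardware inventory, software not on the approved listing, approved software below its minimum version (the outdated third-party applications noted above), and required software missing from an authorized host.

```python
"""Approved-software and authorized-host reconciliation (added example).

Illustrative code written for this page, not VA's tooling. The approved
listing, required software, asset tags and scan results below are all
constructed sample data.
"""
from typing import Dict, List, Tuple

# Constructed approved-software listing: name -> lowest version still
# accepted. Anything older is reported as outdated.
APPROVED_SOFTWARE: Dict[str, Tuple[int, ...]] = {
    "openssh": (8, 0),
    "java-runtime": (11, 0),
    "endpoint-agent": (3, 2),
}

# Constructed: software that must be present on every authorized host.
REQUIRED_SOFTWARE = {"endpoint-agent"}

# Constructed authorized hardware inventory, keyed by asset tag.
AUTHORIZED_HOSTS = {"WS-0001", "WS-0002", "SRV-0100"}

# Constructed scan results: asset tag -> {software name: installed version}.
SAMPLE_OBSERVED: Dict[str, Dict[str, str]] = {
    "WS-0001": {"openssh": "8.4", "endpoint-agent": "3.2", "java-runtime": "8.0"},
    "WS-0002": {"openssh": "7.9", "endpoint-agent": "3.5", "p2p-share": "1.0"},
    "SRV-0100": {"openssh": "9.1"},
    "LAPTOP-9": {"openssh": "9.1"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple that compares numerically."""
    return tuple(int(part) for part in text.split("."))


def reconcile(observed: Dict[str, Dict[str, str]]) -> Dict[str, list]:
    """Compare observed inventories against the approved baseline.

    Returns four finding lists, each ordered by host so that two scans of
    the same environment produce the same report:
      unauthorized_hosts    - assets not in the authorized hardware inventory
      unauthorized_software - packages absent from the approved listing
      outdated_software     - approved packages below the minimum version
      missing_required      - required packages absent from an authorized host
    """
    findings: Dict[str, list] = {
        "unauthorized_hosts": [],
        "unauthorized_software": [],
        "outdated_software": [],
        "missing_required": [],
    }
    for host, packages in sorted(observed.items()):
        if host not in AUTHORIZED_HOSTS:
            # An unknown device is reported as a whole; its software is not
            # assessed against a baseline it was never authorized for.
            findings["unauthorized_hosts"].append(host)
            continue
        for name, version in sorted(packages.items()):
            minimum = APPROVED_SOFTWARE.get(name)
            if minimum is None:
                findings["unauthorized_software"].append((host, name, version))
            elif parse_version(version) < minimum:
                findings["outdated_software"].append((host, name, version))
        for name in sorted(REQUIRED_SOFTWARE - set(packages)):
            findings["missing_required"].append((host, name))
    return findings


def format_report(findings: Dict[str, list]) -> List[str]:
    """Render the findings as one line per item, for a ticket or log sink."""
    lines = []
    for host in findings["unauthorized_hosts"]:
        lines.append(f"UNAUTHORIZED HOST  {host}")
    for host, name, version in findings["unauthorized_software"]:
        lines.append(f"UNAUTHORIZED SW    {host} {name} {version}")
    for host, name, version in findings["outdated_software"]:
        minimum = ".".join(str(p) for p in APPROVED_SOFTWARE[name])
        lines.append(f"OUTDATED SW        {host} {name} {version} (minimum {minimum})")
    for host, name in findings["missing_required"]:
        lines.append(f"MISSING REQUIRED   {host} {name}")
    return lines


if __name__ == "__main__":
    for line in format_report(reconcile(SAMPLE_OBSERVED)):
        print(line)
```

Run against the constructed scan, the report flags LAPTOP-9 as an unauthorized device, p2p-share on WS-0002 as unapproved software, the Java runtime on WS-0001 and OpenSSH on WS-0002 as below their minimum versions, and SRV-0100 as missing the required endpoint agent. The same structure scales to a real scan by replacing the constructed inputs with the output of an inventory tool; the point is that both the approved listing and the authorized hardware inventory must exist before the comparison can produce a finding at all, which is what Recommendations 25 and 26 ask for.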
Additionally, our testing revealed that VA facilities had not made effective use of these tools to actively monitor their networks for unauthorized software, hardware devices, and system configurations.

Recommendations

25. We recommended the Executive in Charge for Information and Technology develop a listing of approved software and implement continuous monitoring processes to identify and prevent the use of unauthorized application software, hardware, and system configurations on its networks. (This is a modified repeat recommendation from last year.)

26. We recommended the Executive in Charge for Information and Technology develop a comprehensive software inventory process to identify major and minor software applications used to support VA programs and operations. (This is a modified repeat recommendation from last year.)

Finding 8           Security Capital Planning

VA has not implemented processes to fully account for security-related costs within its capital planning and investment control budget process. As a result, the audit team was unable to trace Plans of Action and Milestones (POA&Ms) remediation costs to corresponding Exhibit 300s for certain mission-critical systems. NIST Special Publication 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, states "the POA&M process provides a direct link to the capital planning process." On October 17, 2001, OMB issued Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, stating "for each POA&M that relates to a project (including systems) for which a capital asset plan and justification (exhibit 300) was submitted or was a part of the exhibit 53, the unique project identifier must be reflected on the POA&M."

In line with this Federal guidance, VA policy requires that security be included within the capital planning process. However, VA-specific guidance for integrating security into the budgeting process does not exist. Consequently, VA lacks procedures to ensure traceability of POA&M remediation costs to Exhibit 300s. For the future, guidance is needed to ensure security-related needs are consistently evaluated and integrated into the capital planning budget process in accordance with set standards. Without specific guidance, VA cannot ensure that information security is integrated throughout the system life cycle and adequate funding is budgeted to meet information security requirements.

Recommendation

27. We recommended the Executive in Charge for Information and Technology develop guidance and procedures to integrate information security costs into the capital planning process while ensuring traceability of Plans of Action and Milestones remediation costs to appropriate capital planning budget documents. (This is a repeat recommendation from last year.)

Finding 9           Contractor Systems Oversight

In FY 2013, VA did not fully implement contractor oversight procedures as required by FISMA. According to FISMA, Section 3544, an agency should ensure adequate information security for systems that support its operations, including those provided by another agency, contractor, or other source. In addition, VA Handbook 6500.6, Contract Security, provides detailed guidance on contractor systems oversight and establishment of security requirements for all VA contracts involving sensitive VA information. Despite these requirements, our audit disclosed several deficiencies in VA's contractor oversight activities in FY 2013. Specifically:

• VA did not provide "Authorizations to Operate" for selected contractor-managed systems, formally acknowledging existing system security risks and security controls.
• VA did not provide evidence that contractor system security controls were appropriate.
• VA did not provide an annual inventory of contractor systems, including system interfaces and interconnection agreements.
• VA does not have adequate controls for monitoring cloud computing systems hosted by external contractors.

Without implementing effective oversight mechanisms, VA cannot ensure that contractor security controls adequately protect sensitive systems and data in accordance with its information security requirements.

Recommendations

28. We recommended the Executive in Charge for Information and Technology implement procedures for overseeing contractor-managed, cloud-based systems, ensuring OIG access to those systems, and ensuring information security controls adequately protect VA sensitive systems and data. (This is a modified repeat recommendation from last year.)

29. We recommended the Executive in Charge for Information and Technology implement mechanisms for updating the Federal Information Security Management Act systems inventory, including contractor-managed systems and interfaces, and annually review the systems inventory for accuracy. (This is a repeat recommendation from last year.)

Finding 10          Security Awareness Training

As part of the CRISP initiative, we noted improvements in providing users with required role-based and security awareness training. However, VA has not fully implemented automated processes to track security awareness training for residents, volunteers, and contractors at all VA facilities. As a result, our testing identified personnel who had not completed VA's security awareness training at some VA facilities. VA Handbook 6500, Appendix D establishes high-level policy and procedures for VA's security awareness training program, requiring all users of sensitive information to annually complete VA's security awareness training.

VA uses the Talent Management System, an online training system, to provide user access to a number of online training resources and track required security awareness and other training for VA employees and contractors. However, VA relies on manual processes to track fulfillment of training requirements by residents and volunteers, as automated tracking mechanisms have not been fully implemented. Without automated tracking to support centralized monitoring of user training, management cannot ensure that these personnel complete the annual security awareness training requirements. Computer security awareness training is essential to help employees and contractors understand their information security and privacy responsibilities.

Recommendation

30. We recommended the Executive in Charge for Information and Technology implement mechanisms to ensure all users with VA network access participate in and complete required VA-sponsored security awareness training. (This is a repeat recommendation from last year.)

Summary of Response From the Executive in Charge for Information Technology

The Executive in Charge for Information and Technology generally concurred with the 30 findings and recommendations provided in the main body of this report and prepared a response, which is presented in Appendix D. In his comments, the Executive in Charge for Information and Technology stated that VA has implemented a Governance, Risk and Compliance tool as a major element of its agency-wide risk management governance program. This tool is intended to provide real-time monitoring of VA's system security posture as well as ensure that Plans of Action and Milestones are updated with current information. In general, management's comments and corrective action plans are responsive to the 30 recommendations. However, the responses to Recommendations 11 and 18 were not adequate as they did not provide clear corrective action plans and target completion dates.

Further, the Executive in Charge for Information and Technology stated that he intended to provide responses to the five prior-year recommendations in Appendix A after performing a review of ongoing corrective actions. Similar to responses provided over the past several years, management's approach to addressing these open prior-year recommendations is inadequate. We remain concerned that continuing delays in implementing effective corrective actions by estimated completion dates to address these open recommendations can potentially contribute to reporting an IT material weakness from this year's audit of VA's Consolidated Financial Statements. Following is our assessment of the status of VA's corrective actions to address each open prior-year recommendation in Appendix A:

• FY 2010–21: The status of corrective actions is unclear as VA did not describe actions taken to ensure risk assessments accurately reflect the current control environment.
• FY 2006–03: The status of corrective actions is unclear as VA did not describe the percentage of position descriptions that were updated in response to the recommendation.
• FY 2006–04: The status of corrective actions is unclear as VA did not describe the percentage of work completed to ensure that appropriate levels of background investigations are conducted for all VA employees and contractors.
• FY 2006–08: The status of corrective actions is unclear as VA did not describe the percentage of work completed to mitigate wireless security vulnerabilities and implement standard network configurations.
• FY 2006–09: The status of corrective actions is unclear as VA did not describe the percentage of work completed to eliminate or mitigate the use of clear text protocols across the enterprise.

We will not close any recommendations until relevant information security policies and procedures are finalized and information security control deficiencies are fully remediated. We will continue to evaluate VA's progress during our audit of VA's information security program in FY 2014.

Appendix A           Status of Prior-Year Recommendations

Appendix A addresses the status of outstanding recommendations not included in the main report and VA's plans for corrective action. As noted in the table below, some recommendations remain in progress, with estimated completion dates still to be determined. The corrective actions outlined below are based on management assertions and results of our audit testing.

Table. Status of Prior Year Recommendations

Columns: Number; Recommendation (with OIG comments); Status (In Progress or Closed); Estimated Completion; Corrective Actions.

FY 2010–21
  Recommendation: We recommend the Assistant Secretary for Information and Technology develop mechanisms to ensure risk assessments accurately reflect the current control environment, compensating controls, and the characteristics of the relevant VA facilities.
  OIG comments: The status of corrective actions is unclear as VA did not provide an adequate response to the open recommendation. The response needs to describe the actions taken to ensure risk assessments accurately reflect the current control environment.
  Status: In Progress
  Estimated Completion: To Be Determined
  Corrective Actions: VA is establishing a Risk Management Governance Board, which will implement uniform risk assessment procedures throughout VA. Risk assessment exceptions continued to be identified during FISMA testing.

FY 2006–03
  Recommendation: We recommend the Assistant Secretary for Information and Technology update all applicable position descriptions to better describe position sensitivity levels, and improve documentation of employee/contractor personnel records of "Rules of Behavior" and annual privacy training certifications.
  OIG comments: The status of corrective actions is unclear as VA did not provide an adequate response for the open recommendation. The response needs to describe the percentage of position descriptions updated through FY 2013.
  Status: In Progress
  Estimated Completion: To Be Determined
  Corrective Actions: VA Directive and Handbook 0710, Personnel Suitability and Security Program documents have been updated. VA developed action items to better coordinate reviews of existing position descriptions, position risk and sensitivity determinations, and current levels of employee background investigations.

FY 2006–04
  Recommendation: We recommend the Assistant Secretary for Information and Technology ensure appropriate levels of background investigations be completed for all applicable VA employees and contractors in a timely manner, implement processes to monitor and ensure timely reinvestigations on all applicable employees and contractors, and monitor the status of the requested investigations.
  OIG comments: The status of corrective actions is unclear as VA did not provide an adequate response to the open recommendation. The response needs to describe the percentage of work completed to ensure that appropriate levels of background investigations are conducted for all VA employees and contractors.
  Status: In Progress
  Estimated Completion: To Be Determined
  Corrective Actions: VA established the Security Investigation Center to ensure background investigations are conducted. The Office of Operations, Security, and Preparedness is coordinating actions to improve procedures for ensuring background investigations and reinvestigations are completed for all applicable VA employees and contractors in a timely manner. Exceptions related to timely background investigations continued to be identified during FY 2013 FISMA testing.

FY 2006–08
  Recommendation: We recommend the Assistant Secretary for Information and Technology reduce wireless security vulnerabilities by ensuring sites have up-to-date mechanisms to protect against interception of wireless signals and unauthorized access to the network, and ensure the wireless network is segmented from the general network.
  OIG comments: The status of corrective actions is unclear as VA did not provide an adequate response to the open recommendation. The response needs to describe the percentage of work completed to mitigate wireless security vulnerabilities and implement standard network configurations.
  Status: In Progress
  Estimated Completion: To Be Determined
  Corrective Actions: VA developed Directive 6512, Secure Wireless Technology, to supplement VA Handbook 6500. The Directive provides guidelines for protecting VA wireless networks from signal interception, enhancing network security, and segmenting VA's wireless network from the wired network. VA has begun replacing the legacy wireless networks with more robust and secure wireless networks, and defining strict configuration guidelines and implementation plans. VA established the National Wireless Infrastructure Team to ensure all authorized VA wireless access points use a standard wireless network configuration. Potential rogue access points continued to be identified during FY 2013 FISMA testing.

FY 2006–09
  Recommendation: We recommend the Assistant Secretary for Information and Technology identify and deploy solutions to encrypt sensitive data and resolve clear text protocol vulnerabilities.
  OIG comments: The status of corrective actions is unclear as VA did not provide an adequate response to the open recommendation. The response needs to describe the percentage of work completed to eliminate or mitigate the use of clear text protocols across the enterprise.
  Status: In Progress
  Estimated Completion: To Be Determined
  Corrective Actions: VA is developing and integrating multiple technologies across the enterprise to encrypt sensitive data, both at rest and in transit. The technologies include:
    • Deploy Sanctuary across the enterprise to ensure only authorized, encrypted, Universal Serial Bus devices are in use.
    • Deploy laptop and desktop encryption.
    • Deploy Data Transmission/Attachmate to safely host information on the Web.
  VA's "Visibility to Everything" (Server and Desktop) program verifies deployment of the above technologies and allows VA to
                                             remediate identified\n                                                                                       deficiencies.\n\n                                                                                       Clear text protocol\n                                                                                       vulnerabilities\n                                                                                       continued to be\n                                                                                       identified during our\n                                                                                       FY 2013 FISMA\n                                                                                       testing.\n\n\n\n\nVA Office of Inspector General                                                                       25\n\x0c                                 VA\xe2\x80\x99s Federal Information Security Management Act Audit for FY 2013\n\n\nAppendix B          Background\n\n                    On December 17, 2002, then-President George W. Bush signed FISMA\n                    into law, reauthorizing key sections of the Government Information Security\n                    Reform Act. FISMA provides a comprehensive framework for ensuring\n                    effective security controls over information resources supporting Federal\n                    operations and assets. The statute also provides a mechanism for improved\n                    oversight of Federal agency information security programs.\n\n                    FISMA requires each Federal agency to develop, document, and\n                    implement an agency-wide security program. 
VA’s security program should protect the information systems that support operations, including those provided or managed by another agency, contractor, or other source. As specified in FISMA, agency heads are responsible for conducting annual evaluations of information security programs and practices.

FISMA also requires agency Inspectors General to assess the effectiveness of agency information security programs and practices. Guidance has been issued by OMB in both circulars and memoranda and by NIST in its 800 series of special publications supporting FISMA implementation covering significant aspects of the law. In addition, Federal Information Processing Standards have been issued to establish agency baseline security requirements.

OMB and DHS provide instructions to Federal agencies and Inspectors General for preparing annual FISMA reports. In November 2013, OMB issued Memorandum M-14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. Federal agencies are to focus on implementing the Administration’s three cybersecurity priorities established in FY 2012: (1) Continuous Monitoring, (2) Trusted Internet Connection capabilities and traffic consolidation, and (3) strong authentication using Personal Identity Verification cards for logical access. The FY 2013 FISMA metrics issued by DHS established minimum and target levels of performance for these priorities, as well as metrics for other key performance areas. To comply with the reporting requirements, agencies must carry out the following activities:

•   Chief Information Officers should submit monthly data feeds through CyberScope, the FISMA reporting application. Agencies must upload data from their automated security management tools into CyberScope on a monthly basis for a specified number of data elements.

•   Agencies must respond to security posture questions on a quarterly/annual basis. These questions address areas of risk and are designed to assess the implementation of security capabilities and measure their effectiveness.

•   The Chief Information Officers must report to DHS on a quarterly basis, and Inspectors General and Senior Agency Officials for Privacy must report to DHS on an annual basis.

•   Agencies must participate in CyberStat accountability sessions and agency interviews conducted by DHS, OMB, and the White House National Security Staff.

DHS reporting instructions also focus on performance metrics related to key control activities, such as developing a complete inventory of major information systems, providing security training to personnel, testing and evaluating security controls, and testing continuity plans.

The OIG contracted with the independent accounting firm CliftonLarsonAllen LLP to conduct the annual FISMA audit for FY 2013. The OIG provided oversight of the contractor’s performance.


Appendix C          Scope and Methodology

The FISMA audit determines the extent to which VA’s information security program complies with FISMA requirements and relevant guidelines. The audit team considered Federal Information Processing Standards and NIST guidance during its audit. Audit procedures included reviewing policies and procedures, interviewing employees, reviewing and analyzing records, and reviewing supporting documentation. The VA OIG provided oversight of the audit teams’ performance.

This year’s work included evaluation of 79 selected major applications and general support systems hosted at 24 VA facilities to support Veterans Health Administration, Veterans Benefit Administration, and National Cemetery Administration lines of business.
The audit teams performed vulnerability tests and evaluated management, operational, technical, and application controls supporting major applications and general support systems.

In connection with the audit of VA’s FY 2013 consolidated financial statements, CliftonLarsonAllen LLP evaluated general computer and application controls of VA’s major financial management systems, following the Government Accountability Office’s Federal Information System Controls Audit Manual methodology. Significant financial systems deficiencies identified during CliftonLarsonAllen’s evaluation are included in this report.

Site Selections

In selecting VA facilities for testing, the audit teams considered the geographic region, size, and complexity of each hosting facility, as well as the criticality of systems hosted at the facility. Sites selected for testing included:

•   Information Technology Center—Austin, TX
•   VA Medical Facility—Cincinnati, OH
•   Terremark, Cloud Service Provider—Culpepper, VA
•   VA Medical Facility—Hampton Roads, VA
•   Information Technology Center—Hines, IL
•   VA Medical Facility—Kansas City, MO
•   VA Medical Facility—Little Rock, AK
•   VA Regional Office—Little Rock, AK
•   VA Medical Facility—Manchester, NH
•   Network and Security Operations Center—Martinsburg, WV
•   Capitol Regional Readiness Center—Martinsburg, WV
•   VA Medical Facility—Miami, FL
•   VA Medical Facility—New Orleans, LA
•   VA Regional Office—New Orleans, LA
•   VA Medical Facility—Oklahoma City, OK
•   Information Technology Center—Philadelphia, PA
•   VA Insurance Center—Philadelphia, PA
•   VA Regional Office—Philadelphia, PA
•   Loan Guaranty Contractor Managed Facility—Plano, TX
•   National Cemetery Administration—Quantico, VA
•   VA Medical Facility—Reno, NV
•   VA Medical Facility—San Antonio, TX
•   VA Medical Facility—San Francisco, CA
•   VA Central Office—Washington, DC

Vulnerability audit procedures used automated scanning tools and validation procedures to identify high-risk common security vulnerabilities affecting mission-critical systems. In addition, vulnerability tests evaluated selected servers and work stations residing on the network infrastructure; databases hosting major applications; Web application servers providing Internet and Intranet services; and network devices, including wireless connections.

Government Standards

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.


Appendix D          Executive in Charge for Information and Technology Comments


Department of Veterans Affairs                                   Memorandum

Date:    April 18, 2014

From:    Executive in Charge and Chief Information Officer, Office of Information and Technology (005)

Subj:    Draft Audit Report: Federal Information Security Management Act (FISMA) Assessment for FY 2013

To:      Assistant Inspector General for Audits and Evaluations (52CT)

Thank you for the opportunity to review the subject draft audit report. The Office of Information and Technology concurs and submits the attached detailed comments and a partial set of artifacts to the report’s 30 recommendations.

Remaining artifacts will be provided under separate cover. We appreciate your time and attention to our information security program.
If you have any questions, contact me at 202-461-6910, or have a member of your staff contact Martha Orr, Executive Director for Quality, Performance and Oversight, at 202-461-6910.

Attachment


                                                                                                 Attachment

Office of Information and Technology
Comments to Draft OIG Report,
“Federal Information Security Management Act Audit for FY 2013”
OIG Recommendations and OIT Responses:

Recommendation 1: We recommend the Executive in Charge for Information and Technology fully develop and implement an agency-wide risk management governance structure, along with mechanisms to identify, monitor, and manage risks across the enterprise. (This is a repeat recommendation from last year.)

OIT Response: Concur. The Office of Information and Technology (OI&T) has implemented the Governance, Risk and Compliance (GRC) tool as a major element of implementing an agency-wide risk management governance structure. The GRC tool is VA’s robust repository capable of tracking the real-time security posture of the VA’s IT systems. The tool is used in concert with existing IT monitoring and tracking tools, such as IBM End-Point Manager (IEM), SolarWinds, NESSUS, to extract, in real-time, up to 54 NIST controls, while capturing the remaining controls via automated workflows. The Risk Vision GRC tool automatically ties risk assessments to POA&Ms and system security plans, resulting in a more comprehensive understanding of VA’s security posture, far exceeding any past capabilities. The workflow process of entering information into the GRC tool ensures that only the most current risk information is retained. This is also true of the System Security Plan and FIPS assessments. The CIO has greater visibility/oversight with the Risk Vision database for Authority to Operate (ATO) decisions.

OI&T maintains a mature Enterprise Risk Management (ERM) organization that proactively manages risks that are applicable to the OIT enterprise. Within ERM, the Risk Assessment and Mitigation (RAM) office has an IT Security and Compliance Risk Division that is focused on the assessment and mitigation of information security risks that meet the organization's definition of enterprise-level risk. The Office of Information Security (OIS) also has a Risk Management office that addresses information security risks that do not rise to the level of OIT enterprise risks. This past year, the Continuous Readiness and Information Security Protection (CRISP) Governance Council was chartered and implemented. This Governance Council, comprised of membership from all Department stakeholders such as VHA, VBA and NCA, is fully sanctioned by VA leadership to ensure all VA organizations are responsive to initiatives and actions necessary to maintain heightened awareness of information security and protection and to identify, monitor and manage risk across the enterprise.

Completed: Recommend Closure

Recommendation 2: We recommend the Executive in Charge for Information and Technology implement mechanisms to ensure sufficient supporting documentation is captured in the central database to justify closure of Plans of Action and Milestones. (This is a repeat recommendation from last year.)

OIT Response: Concur. The GRC tool, implemented at the end of FY 2013, monitors the real-time security posture of the VA’s IT systems, and is the mechanism used to track active Plans of Action and Milestones (POA&M). VA transitioned active POA&M’s from the SMART system to the GRC Risk Vision tool, leaving completed POA&M’s in the SMART for historical purposes. The GRC tool is the sole repository for all supporting artifacts to document POA&M process and maintains documentation to justify closure of POA&M’s. Additionally, mechanisms, such as compliance reviews by OCS staff, annual self-assessments by facility staff, and control implementation validation by Information Security Officers (ISO) are currently in place to randomly check POA&M documentation.

Complete – Recommend Closure

Recommendation 3: We recommend the Executive in Charge for Information and Technology define and implement clear roles and responsibilities for developing, maintaining, completing, and reporting Plans of Action and Milestones. (This is a repeat recommendation from last year.)

OIT Response: Concur. Clearly defined roles and responsibilities for developing, maintaining, completing and reporting POA&Ms are found in VA Handbook 6500 and VA Handbook 6500.3.
VA Handbook 6500 includes, in section four, “Information Security Responsibilities,” the responsibilities regarding POA&Ms for the Deputy CIO for SDE/System Owners, Executive Director for Quality, Performance and Oversight, Under Secretaries, Assistant Secretaries, and Other Key Officials, Program Directors/Facility Directors, ISOs, Local Program Management, Local CIOs/System Administrators/Network Administrators/Database Managers, CO/COR, and Local HR Staff/Security and Law Enforcement Staff. POA&M responsibilities are also addressed in VA Handbook 6500, Appendix F under controls CA-5: Plan of Action and Milestones and PM-4: Plan of Action and Milestones.

VA Handbook 6500.3 includes, in section three, “Responsibilities,” the roles and responsibilities regarding POA&Ms for the VA CIO, DAS OIS, System Owners, Project Managers, Information/Data Owners, Local CIOs/System Administrators/Network Administrators, and ISOs. Appendix E describes the process for developing the POA&M in the Authorization process. The GRC Risk Vision tool, implemented in August 2013, is actively used to provide an automated method for assigning POA&M management roles and responsibilities to system owners, information security officers, administrators, and managers.

Complete – Recommend Closure

Recommendation 4: We recommend the Executive in Charge for Information and Technology implement mechanisms to ensure Plans of Action and Milestones are updated to accurately reflect current status information. (This is a repeat recommendation from last year.)

OIT Response: Concur. The GRC tool, implemented in August 2013, establishes mechanisms to ensure POA&M’s are updated with current status information. These mechanisms are inherent in the work flow of the tool and provide the necessary checks and balances to ensure information can be entered accurately. Integral to the specially designed workflows of RiskVision is a two-step validation process. The information security control provider is required to provide evidence of the control implementation status. The assigned Information Security Officer (ISO) is required to validate the implementation status. If found deficient, the ISO generates a finding. Additionally, with the IBM Endpoint Manager (IEM) feeds being collected by RiskVision, automated compliance checks are reported without requiring user intervention. This allows VA to determine the compliance of a device that is part of an accreditation boundary. This tool is the sole repository of all active POA&M’s and is actively used to manage the POA&M process.

Completed – Recommend Closure

Recommendation 5: We recommend the Executive in Charge for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, including accurate system interconnection and ownership information. (This is a repeat recommendation from last year.)

OIT Response: Concur. In concert with the implementation of the GRC tool in August 2013, the accreditation boundaries for all VA systems were evaluated, reassessed and restructured. This ensured that the system security plans inherent in the GRC tool reflected the current operational environments and that system interconnections were assessed for accuracy. The GRC tool also captures current system ownership and can be easily updated. The GRC tool is the sole repository for the system security plans ensuring proper oversight of status updates. Additionally, the requirement to have accurate, comprehensive and up-to-date system security plans is required by VA policy, as discussed in VA Handbook 6500.

Complete – Recommend Closure

Recommendation 6: We recommend the Executive in Charge for Information and Technology implement improved processes for updating key security documents such as risk assessments, security impact analyses, and security self-assessments on at least an annual basis and ensure all required information accurately reflects the current environment and new risks in accordance with Federal standards. (This is a new recommendation.)

OIT Response: Concur. With the implementation of the GRC tool in August 2013, a new, improved process was developed and established for all IT system risk assessments. Based on actual findings, which flow through the automated system, we are now continuously monitoring and managing risk assessments, giving us the ability to compare and contrast data, leading to improved security impact analyses. We are also able to proactively introduce process and policy changes, based upon analysis of information discovered in the security assessment phase. The automated manner in which this is now managed has greatly improved the process used for updating all security documents, updates are accomplished throughout the year, and analysis of the data ensures remediation activities are appropriate to the current environment.

Complete – Recommend Closure

Recommendation 7: We recommend the Executive in Charge for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices.
(This is a repeat recommendation from last year.)\n\nOIT Response: Concur. VA implemented a process last year for monitoring password policies via\npredictive scans and remediation processes on OIT systems. Routine system scans are completed by\nthe Network Security and Operations Center (NSOC) and Standard Operating Procedures (SOP) are in\nplace to ensure a structured, repeatable process. OIT continues to update information system user and\nsystem account management policy guidance and processes that will emphasize requirements for\nsystem owners, systems administrators, and security staffs to regularly review the account privileges and\naccess levels for all system users on at least an annual basis. This review will be re-emphasized as an\nitem that must be covered during the annual testing of application security controls.\n\nComplete \xe2\x80\x93 Recommend Closure\n\nRecommendation 8: We recommend the Executive in Charge for Information and Technology\nimplement periodic access reviews to minimize access by system users with incompatible roles,\npermissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat\nrecommendation from last year.)\n\nOIT Response: Concur. As part of the OIT Security Calendar process used to track and manage\nrecurring security status updates, the Department has implemented reviews of elevated privileges every\n90 days and application level access twice a year to ensure the users have minimum system access\nnecessary based on their role. At each facility, the local Information Security Officer (ISO) and the Chief\nInformation Officer (CIO) work together to identify issues and concerns with staff elevated privileges and,\nwhen necessary, engage the supervisor for final determination and resolution. This on-going review\nprocess serves to minimize the number of system users with incompatible roles and permissions in\nexcess of required functional responsibilities. 
Additionally, a comprehensive review of separated users\nfrom VA occurs every 90 days. Also part of the OIT Security Calendar process, this review ensures that\nstaff, contractors and volunteers no longer with VA have access privileges removed from e-mail,\nadministrator rights and other VA systems. Please see attached artifacts.\n\nCompleted \xe2\x80\x93 Recommend Closure\n\nRecommendation 9: We recommend the Executive in Charge for Information and Technology enable\nsystem audit logs and conduct centralized reviews of security violations on mission-critical systems. (This\nis a repeat recommendation from last year.)\n\n\n\nVA Office of Inspector General                                                                          33\n\x0c                                    VA\xe2\x80\x99s Federal Information Security Management Act Audit for FY 2013\n\n\nOIT Response: Concur. Implementation is currently unfunded in terms of storage and staffing within the\nmedical center/field operation environment. These tools have been implemented in our Data Center and\nby our Network and Security Operations Center. Early installation of the devices for our field locations is\ncontingent on funding in FY 2014. If we are unsuccessful in obtaining FY 2014 funding, this requirement\nwill be incorporated in the FY 2015 budget operating plan.\n\nTarget Completion Date: September 30, 2015 (contingent upon receipt of funds)\n\nRecommendation 10: We recommend the Executive in Charge for Information and Technology\nimplement mechanisms to ensure all remote access computers have updated security patches and\nantivirus definitions prior to connecting to VA information systems. (This is a repeat recommendation from\nlast year.)\n\nOIT Response: Concur. Except for a limited number of VHA clinical users, mechanisms have been\nimplemented to ensure all remote access computers have updated security patches and antivirus. 
OI&T\nis working with VHA to verify key performance criteria for the critical work flows. That analysis will be\ncompleted by the end of this fiscal year, followed by implementation.\n\nTarget Completion Date: April 30, 2015\n\nRecommendation 11: We recommend the Executive in Charge for Information and Technology\nimplement two-factor authentication for remote access throughout the agency. (This is a repeat\nrecommendation from last year.)\n\nOIT Response: Concur. Due to the possibility of patient safety issues associated with implementation\nof the PIV card, implementation for this recommendation within VHA is on hold until care delivery work\nprocess have been developed that accommodate the use of PIV cards by VHA. Implementation\ncontinues throughout the rest of the Department.\n\nTarget Completion Date: To Be Determined \xe2\x80\x93 Dependent on implementation of new work processes by\nVHA\n\nOIG comments: The status of corrective actions is unclear as VA did not provide a concrete corrective\naction plan or clear target completion date.\n\nRecommendation 12: We recommend the Executive in Charge for Information and Technology develop\nand implement policies and procedures for restricting privileged remote access from foreign countries\nthat may pose a significant security risk to VA systems. (This is a new recommendation.)\n\nOIT Response: Concur. The DAS for OIS signed a memo (attached) on January 15, 2014 prohibiting\naccess to VA\xe2\x80\x99s network from non-NATO countries, with the exception of countries where VA has\napproved operations established (e.g., Philippines, South Korea). 
This requirement has been formalized
in the current draft version of VA Handbook 6500, which will be published by the end of fiscal year 2014.
Additionally, OIS has begun blocking Top Level Domains for country codes and IP addresses for those
countries noted above.

Completed – Recommend Closure

Recommendation 13: We recommend the Executive in Charge for Information and Technology
implement effective automated mechanisms to continuously identify and remediate security deficiencies
on VA’s network infrastructure, database platforms, and Web application servers. (This is a repeat
recommendation from last year.)

OIT Response: Concur. VA has implemented an enterprise-wide vulnerability management program
that makes use of a number of scanning tools to identify security deficiencies. The outputs from the
scanning tools are then broken out and delivered to each data center/region/site. Those sites then
annotate those scans with status of the required action, either through remediation, mitigation or
issuance of risk based decisions. Priority attention is placed on installing the required patches to
remediate the identified deficiencies. Automated monitoring and assessment tools have also been
deployed in the VA enterprise to every laptop, desktop, server and network device. VA will continue to
enhance the vulnerability management program by making use of the security and information event
management (SIEM) technology, which currently is in place at the Enterprise Operations (EO) data
centers. The SIEM solution will collect audit logs and alerts and facilitate the continuous identification of
vulnerabilities that require priority corrective actions. 
The next steps in the expanded implementation of
SIEM have been defined as consisting of three phases: EO Data Centers (complete), Gateways and
Network Backbone and the NSOC (concurrently scheduled to be awarded by 30 April 2014) and Regional
Data Centers Systems (currently in planning to identify requirements and funding levels).

Target Completion Date – Phase Two (September 30, 2014)/Phase Three (September 30, 2015).

Recommendation 14: We recommend the Executive in Charge for Information and Technology
implement a patch and vulnerability management program to address security deficiencies identified
during our assessments of VA’s Web applications, database platforms, network infrastructure, and work
stations. (This is a modified repeat recommendation from last year.)

OIT Response: Concur. In February 2013, VA implemented predictive scanning and has continued to
build on and improve the patch and vulnerability program to ensure security deficiencies are proactively
addressed. This scanning allows for the identification of vulnerabilities, remediation of those
vulnerabilities and compliance monitoring. Monthly predictive scans are tested and remediated, and security
deficiencies are identified and monitored during our assessments of VA’s Web applications, database
platforms, network infrastructure, and work stations. We receive monthly downloads from our vendors,
which are also rigorously tested and monitored to ensure all security deficiencies are identified and
remediated. Within Enterprise Operations, a consistent program for identifying and remediating
vulnerabilities has been in place for several years.

Completed – Recommend Closure

Recommendation 15: We recommend the Executive in Charge for Information and Technology
implement standard security configuration baselines for all VA operating systems, databases,
applications, and network devices. 
(This is a repeat recommendation from last year.)

OIT Response: Concur. Baselines have been created covering the vast majority of systems in the VA
Enterprise. Over 95% of the servers in the Department are covered by existing operating system
baselines, including all those hosting VA’s VistA healthcare application, and virtually 100% of desktops.
Existing baselines also cover over 85% of the internetworking devices for VA. Work continues on
baselines for printers, thin clients, and SQL databases, including a plan to begin implementation in
FY 2014.

Target Completion Date – December 31, 2015

Recommendation 16: We recommend the Executive in Charge for Information and Technology
implement procedures to enforce a system development and change control framework that integrates
information security throughout the life cycle of each system. (This is a repeat recommendation from last
year.)

OIT Response: Concur. In 2009 OIT Product Development (PD) and OIT Service Delivery and
Engineering (SDE) jointly implemented change and configuration management governance over software
and system controls and issued VA policy and procedures. PD implemented Change and Configuration
Management Plans (ChM/CfM) and tools for all software projects to formalize standardized software and
artifact change management controls. PD implemented tools to be standardized to manage source code
and document change and version control. PD includes configuration managers as a necessary project
team member when activating new software development projects. PD implemented change control
boards at the program level to oversee requirements for change. 
PD implemented standardized
requirements management and software testing tools to enable requirements traceability capabilities, and
requirement change – design change – test case change traceability is documented. PD is working with
the Office of Information Security to implement security vulnerability testing tools to be used prior to
software release to test specifically for security requirements compliance. PD implemented Integrated
Project Teams to determine compliance and readiness acceptance with internal customer requirements.
PD includes compliance with security and configuration management processes in milestone review
criteria.

Target Completion Date: September 30, 2015

Recommendation 17: We recommend the Executive in Charge for Information and Technology
implement processes to ensure information system contingency plans are updated with the required
information and lessons learned are communicated to senior management. (This is a repeat
recommendation from last year.)

OIT Response: Concur. OIT has published VA Handbook 6500 and VA Handbook 6500.8, which
provide the guidance for contingency plans specified by the National Institute of Standards and
Technology (NIST). The guidance includes the standardized processes and templates for contingency
plans. The Office of Business Continuity within OIS monitors and reports the compliance status of VA
systems with the guidance. These compliance reports will be forwarded to the executive level to ensure
proper follow-up. All offices with systems not in compliance with the guidance will need to apply
resources to update their contingency plans, and test them. OIS Office of Business Continuity will work
with all non-compliant systems to provide support and assistance. 
Projected completion date for all non-
compliant VA system contingency plans to be brought into compliance is March 31, 2015.

Target Completion Date: March 31, 2015

Recommendation 18: We recommend the Executive in Charge for Information and Technology develop
and implement a process for ensuring the encryption of backup data prior to transferring the data offsite.
(This is a new recommendation.)

OIT Response: Concur. In response to this need, VA has identified high level requirements for an
Enterprise level Tape Backup Encryption solution, and programmed funding. We have assigned a
Program team lead, and have begun the discovery process for requirements of an enterprise wide
solution to address this issue. To address the defect and mitigate risk in the near term, a full review was
conducted on the risk and a Risk Based Decision (RBD) was implemented. This national RBD identifies
mitigating controls to compensate for the lack of backup tape encryption and is further documented in local
security documentation for systems that do not support backup tape encryption, at present.

Target Completion Date – High level program plan – October 31, 2014; completion for remaining tasks to
be determined once the high level program plan is completed.

OIG comments: The status of corrective actions is unclear as VA did not provide a clear target
completion date for subordinate tasks.

Recommendation 19: We recommend the Executive in Charge for Information and Technology ensure
that agreements for alternate processing sites have been established that define the roles and
responsibilities for alternate locations in the event of a disaster. (This is a new recommendation.)

OIT Response: Concur. 
Region level alternate processing site agreements and MOUs have been
developed that define the roles and responsibilities for alternate locations in the event of a disaster.
These agreements have been provided to the field CIOs and were implemented.

Complete – Recommend Closure

Recommendation 20: We recommend the Executive in Charge for Information and Technology review
change management procedures to ensure that any changes to system procedures are appropriately
tested, validated, documented and approved. (This is a repeat recommendation from last year.)

OIT Response: Concur. OI&T will review change management procedures to ensure that any changes
to system procedures are appropriately tested, validated, documented and approved.

Target Completion Date – December 31, 2014

Recommendation 21: We recommend the Executive in Charge for Information and Technology fully
implement an automated 24-hour security event and incident correlation solution to monitor security for
all systems interconnections, database security events, and mission-critical platforms supporting VA
programs and operations. (This is a repeat recommendation from last year.)

OIT Response: Concur. Security Information & Event Management (SIEM) Procurement by the NSOC
is scheduled for FY14. 
Progress was delayed since our Request for Proposal (RFP) did not yield\nqualified vendors and we have had to repeat the RFP process.\n\nTarget Completion Date: December 31, 2014\n\nRecommendation 22: We recommend the Executive in Charge for Information and Technology identify\nall external network interconnections and ensure appropriate Interconnection Security Agreements and\nMemoranda of Understanding are in place to govern them. (This is a repeat recommendation from last\nyear.)\n\nOIT Response: Concur. All Memoranda of Understanding (MOU) and Interconnection Security\nAgreements (ISA) for known external network connections have been reviewed (as part of OIT\xe2\x80\x99s annual\nreview) and updated to reflect operational environments. This review process is now part of an annual\ncycle. OIT has documented these known connections and has also published guidance on this subject.\n\nComplete \xe2\x80\x93 Recommend Closure\n\nRecommendation 23: We recommend the Executive in Charge for Information and Technology\nimplement more effective agency-wide incident response procedures to ensure timely resolution of\ncomputer security incidents in accordance with VA set standards. (This is a repeat recommendation from\nlast year.)\n\nOIT Response: Concur. In March 2014, the VA Network Security Operations Center (VA-NSOC)\ninitiated an Incident Response (IR) Working Group to review current cyber security incident response\npolicies, procedures and performance measures. The working group will be providing recommendations\non improvements to our cyber security IR capability. One product from this group was an Executive\nDecision Memo (dated 26 March 2014) mandating field personnel to adhere to the VA-NSOC timelines\n(e.g. immediately for confirmed compromised hosts, within 48 hours for host scan requests, and within 72\nhours for reimaging of hosts) upon direction from the VA-NSOC. 
The working group will also establish
performance metrics to measure effectiveness of the incident response activities, and has already
worked to incorporate new metrics into the May 2014 OIT Performance Review (PR). The target
implementation date for additional VA policy revision and performance metrics is 30 September 2014.

The target date for revising VA’s Incident Response Plan to include new performance metrics is 30
September 2014. OIT and the VA-NSOC participated and tested incident response capabilities during the
VA National Level Exercise in July 2012. The Incident Response Working Group will continue to review
past cyber security incident response testing and recommend testing the incident response capability on
an annual basis. VA will also coordinate with the Department of Homeland Security to participate in other
upcoming cyber incident response exercises that may be planned by the United States Computer
Emergency Response Team. The target date for testing the department’s incident response capability is
31 December 2014. The VA-NSOC worked with the IT Workforce Development office during 2012 and
2013 to develop the NSOC Cyber Security Competency Model in the VA Talent Management System
(TMS). The competency model is currently used by all VA-NSOC personnel. All supervisors are also
required to complete supervisory training in TMS, as well as attend an on-site week of training in the core
competencies of supervision in the VA and federal service. 
OIT will ensure that role based security
incident response training is included in the Individual Development Plans, and completed by the
appropriate incident response personnel.

Target Completion Date – December 31, 2014

Recommendation 24: We recommend the Executive in Charge for Information and Technology provide
the OIG with timely and formal notifications of network intrusions and system compromises in accordance
with FISMA. (This is a new recommendation.)

OIT Response: Concur. We are currently providing OIG with timely and formal notification of network
intrusions and system compromises in accordance with FISMA. This is accomplished via automatic
notification in Remedy to OIG’s Computer Crimes division. Our Standard Operating Procedure and a
sample of transmissions are attached.

Complete – Recommend Closure

Recommendation 25: We recommend the Executive in Charge for Information and Technology develop
a listing of approved software and implement continuous monitoring processes to identify and prevent the
use of unauthorized application software, hardware and system configurations on its networks. (This is a
modified repeat recommendation from last year.)

OIT Response: Concur. Implementation on this recommendation continues. VA has a white list for
approved software and a black list for unauthorized software. VA has a process for requesting that
software be added to the white list. Implementation of continuous monitoring to prevent use of unauthorized
software is still underway.

Target Completion Date: September 30, 2014

Recommendation 26: We recommend the Executive in Charge for Information and Technology develop
a comprehensive software inventory process to identify major and minor software applications used to
support VA programs and operations. (This is a modified repeat recommendation from last year.)

OIT Response: Concur. 
VA has a white list for approved software and a black list for unauthorized
software. VA has several tools such as Tivoli Endpoint Manager, Microsoft’s System Center
Configuration Manager and Orion, which when fully deployed will identify major and minor software
applications.

Complete – Recommend Closure

Recommendation 27: We recommend the Acting Assistant Secretary for Information and Technology
develop procedures to integrate information security costs into the capital planning process while
ensuring traceability of Plans of Action and Milestones remediation costs to appropriate capital planning
budget documents. (This is a repeat recommendation from last year.)

OIT Response: Concur. Office of Information Technology (OIT) will develop procedures that require
Plans of Action and Milestones (POA&Ms) to be formally included in OIT's Planning, Programming,
Budgeting, and Execution Process (PPBE). The PPBE process will provide traceability from projects, up
through programs and into investments (the latter captured as Exhibit 300s and colloquially referred to as
the Capital Planning and Investment Control [CPIC] process). Subsequent to the policy statement, a
process will be developed and issued instructing POA&M developers how to enter their material into the
PPBE process for programmatic and funding consideration. 
These two steps will provide funding
traceability from POA&M through PPBE and into CPIC (Exhibit 300s).

Target Completion Date: June 30, 2014

Recommendation 28: We recommend the Executive in Charge for Information and Technology
implement procedures for overseeing contractor-managed cloud-based systems, ensuring OIG access to
those systems, and ensuring information security controls adequately protect VA sensitive systems and
data. (This is a modified repeat recommendation from last year.)

OIT Response: Concur. VA 6500.6 provides guidance regarding oversight of contractor managed
systems. Consistent with this policy, VA requires managed service providers to comply with these
standards, inclusive of supporting on-site Security Controls Assessments (SCAs) and allowing routine
compliance monitoring by the NSOC. To address this concern (Phase 1), where appropriate, the
Technical Acquisition Center (TAC) is incorporating language into Performance Work Statements that
requires the contractor to preserve such data, records, logs and other evidence which are reasonably
necessary to conduct a thorough investigation of any computer security incident, to fully cooperate with
all audits, inspections, investigations, or other reviews conducted by or on behalf of the Contracting
Officer or the agency Office of Inspector General and to provide the Contracting Officer, designated
representative of the Contracting Officer, and representatives of the agency's Office of Inspector General,
full and free access to the Contractor's (and Subcontractors') facilities, installations, operations
documentation, databases, and personnel used for contract hosting services.

For the long term solution (Phase 2), specific to contractor-managed cloud-based systems, the “Cloud
Computing” related clauses that have been developed are required to go through formal rulemaking. 
They cannot be\nconsidered as either a modification to, nor an Alternate of an existing FAR clause (FAR 52.215-2 \xe2\x80\x93 Audit\nand Records\xe2\x80\x94Negotiation (OCT 2010)). Note that \xe2\x80\x9cmodifications\xe2\x80\x9d are considered minor changes and an\n\xe2\x80\x9cAlternate\xe2\x80\x9d to a given provision or clause is prescribed in the FAR subject text where Alternates are\nprescribed. The clause language does not fit under either definition. FAR 52.215-2 is an existing FAR\nclause. The proposed \xe2\x80\x9cCloud Computing\xe2\x80\x9d clause and optional clause paragraphs impose substantial\nnew burdens on contractors and the public, as well as including substantial record-keeping requirements\non contractors and strict notification requirements to the government (such as reporting security\nincidents). OI&T will work with the Office of Acquisition, Logistics and Construction to develop a long-\nterm clause solution.\n\nTarget Completion Date: Phase 1 \xe2\x80\x93 October 1, 2014, Phase 2 \xe2\x80\x93 TBD, Based on time for Rulemaking\n\nRecommendation 29: We recommend the Executive in Charge for Information and Technology\nimplement mechanisms for updating the Federal Information Security Management Act systems\ninventory, including contractor-managed systems and interfaces, and annually review the systems\ninventory for accuracy. (This is a repeat recommendation from last year.)\n\nOIT Response: Concur. The VA is continuing to improve efforts towards obtaining the highest degree\npossible of accuracy of its FISMA systems. At present, IBM Endpoint Manager is present on 95% of the\nDepartment\xe2\x80\x99s servers and desktops. Further, Solarwinds is on an equivalent percentage of the network\ndevices. Excluded systems and devices defined as \xe2\x80\x9cother\xe2\x80\x9d are being reviewed to determine the\nappropriate steps required to complete the inventory. 
The system inventory, maintained by GRC, is
reviewed continuously by the Risk Vision Working Group and by OIS management. The annual review has been
completed, and VA is moving to a monthly validation of systems in the inventory to ensure they are assigned to
the proper accreditation boundary.

Target Completion Date: Completed.

Recommendation 30: We recommend the Executive in Charge for Information and Technology
implement mechanisms to ensure all users with VA network access participate in and complete required
VA-sponsored security awareness training. (This is a repeat recommendation from last year.)

OIT Response: Concur. VA continues to excel in the area of security awareness training, reporting that
more than 98% of VA staff and contractors take updated security awareness training annually.
Compliance with this training requirement is constantly monitored throughout the year and training stand
downs occur for all organizations within VA each March. 100% of users should have completed security
awareness training before access is granted. VA policy as stated in 6500 is to not grant access until
security awareness training is completed. IT Workforce Development can run TMS reports to verify if a
person has completed the training but has no way to determine when access was granted. The local ISO
authorizes network access. 
Office of Information Technology (OIT) will continue to work with the various
VA entities specifically identified in this report to ensure the completion of #10176 VA Privacy and
Information Security Awareness and Rules of Behavior in the VA's Talent Management System (TMS).
This training is the Inspector General's (IG's) accepted training process currently developed each year by
the mandatory training business owner, OIT's IT Workforce Development team. VA’s most current
compliance rate is attached.

Target Completion Date: Completed.

Appendix E          Office of Inspector General Contact and Staff Acknowledgements

                      OIG Contact                For more information about this report, please
                                                 contact the Office of Inspector General at
                                                 (202) 461-4720.

                      Acknowledgments            Michael Bowman, Director
                                                 Carol Buzolich
                                                 Elijah Chapman
                                                 Michael Miller
                                                 Neil Packard
                                                 Richard Purifoy
                                                 Felita Traynham

Appendix F          Report Distribution

                    VA Distribution

                    Office of 
the Secretary
                    Veterans Health Administration
                    Veterans Benefits Administration
                    National Cemetery Administration
                    Assistant Secretaries
                    Office of General Counsel

                    Non-VA Distribution

                    House Committee on Veterans’ Affairs
                    House Appropriations Subcommittee on Military Construction,
                     Veterans Affairs and Related Agencies
                    House Committee on Oversight and Government Reform
                    Senate Committee on Veterans’ Affairs
                    Senate Appropriations Subcommittee on Military Construction,
                     Veterans Affairs and Related Agencies
                    Senate Committee on Homeland Security and Governmental Affairs
                    Government Accountability Office
                    Office of Management and Budget
                    Department of Homeland Security

              This report is available on our Web site at www.va.gov/oig.